How to defend your small business from ‘Insider Threats’

As a small business, one of the biggest threats to your information assets resides within your operation. The insider threat, intentional or otherwise, is now one of the major concerns in cybersecurity, and with good cause.

So what exactly are the insider threats to small businesses, and how can you mitigate the dangers? We asked Jamie Graves, Co-Founder and CEO of ZoneFox, to explain:

Within many organisations these days, users have more access to data than they need. Cloud storage services have created a phenomenon called Shadow IT, permitting users to save potentially confidential data to the cloud for future access, and with the (understandable) requirement of user-friendliness throughout IT assets, security controls are often disabled rather than tuned.

While the insider threat can be a pain in the backside, there are ways to protect yourself and keep your users happy simultaneously.

What is the insider threat?

In order to effectively defend yourself, you need to understand what you’re up against. The insider threat comes in many forms, but you can narrow them down into either malicious/intentional threats, or threats that stem from carelessness or lack of knowledge and skill within your workforce:

You may have a user that thinks it’s okay to throw the classified document that they were editing up onto their favourite cloud storage platform so that they can access it later.

One of your users may provide their credentials to a malicious third-party after being subject to a social engineering attack.

You may have a malicious insider who is looking to steal or destroy data because they are disgruntled or under the employ of a competing organisation.

In the world of startups and small businesses, security controls are sometimes sacrificed for speed of delivery or user satisfaction, or through lack of knowledge.

Now that you better understand the threat, we can help you get a handle on the situation and prepare the right defences.

Defence #1: Create enforceable policies

Good documentation makes a good cybersecurity practice, and policies are a staple in said documentation. Policies back up your decisions, provide guidance for your cybersecurity controls, and give you a base for user education.

Acceptable use, privacy, and mobile computing are three base policies that should exist in most organizations. The policies exist to provide the following:

Acceptable use policy

An acceptable use policy puts parameters around how your assets can be used.

Are your users allowed to store company data in cloud storage?

Are USB drives allowed for backup purposes?

These answers and others should reside in this policy.

Privacy policy

Having a clear privacy policy tells your users what they are able to do with company data.

Does classified data exist on the network? If so, how will your users need to handle it to avoid disclosure?

What safeguards are in place to protect your users’ data?

How is employee data stored and encrypted?

Mobile computing policy

Instilling a mobile computing policy lays out rules for mobile access to company resources.

Do your employees take laptops home?

How do they access company data remotely?

Are there specific rules required for travel to high-risk countries?

Mobile phones: are they provided by the organization or do you live in a BYOD world?

Once you have a base set of policies in place, your next step is to educate your users about their existence, and what it means to them.

Defence #2: User awareness education

A user’s misunderstanding of technology or trusting nature can lead to potentially unwanted situations. Data loss, malware infection, and unauthorized access are just three of the potential threats you face when your users carry on with their business without proper security awareness education.

Facilitating user awareness training is pretty straightforward in theory, although not always easy to execute. Initially, you will need to provide live training; in person if you have a small team in a central location, or online via webinar if your team is larger and decentralized.

Some of the topics you will want to cover will be:

Existing security policies: how to adhere to their rules for better protection of organizational assets

Phishing email: what to look out for, and how to examine messages for authenticity or malicious content, such as macros

Malware handling: what to do (and who to call) should you get infected

Since your users are generally prime targets for attackers, skilled and not so skilled, providing proper education for them can help shore up your defenses and help you mitigate the insider threat.

Keep in mind that your users may forget, so you need to ensure that you keep refreshing your users’ memories! Quarterly or semi-annual training wouldn’t go amiss.

Defence #3: Implement and maintain cybersecurity controls

Along with enforceable policies and educated users, you still need to maintain technical cybersecurity controls within your environment. Users forget elements of training, malicious users ignore policy, and accidents happen.

Here are a few examples of controls you can use to help ensure that your users are adhering to policy and best practices:

Endpoint data loss protection

Endpoint data loss protection (DLP) provides functionality to disable USB storage and block data transfers to cloud services. If you do implement this technology, make sure that you keep the policies relevant and up to date.

Endpoint malware detection

Endpoint malware detection has made some significant progress since the old, signature-based days. With new features such as containerization to help stop malware from executing, implementing this type of control can go a long way to helping prevent accidental launch of malicious executables.

The drawback? This type of technology may require a lot of tuning to ensure that your users can still do their work.

User behaviour analysis

User behaviour analysis can provide valuable insights into what your users are up to, whether they are adhering to policy, and if they are attempting to pilfer data or otherwise harm your organization’s assets.

The upside of these types of tools is that they are relatively low maintenance. The downside is that these solutions can be a bit pricey for small businesses, but worth it if they can be afforded.

Summary

Providing basic cybersecurity controls can go a long way toward mitigating insider threats in your organization, although you will need to ensure that you’re maintaining your controls, monitoring and logging their output, and using your policies to derive standards by which they should be configured.

While the insider threat can be a plague to modern organisations, whether large or small, it is not an insurmountable obstacle. By creating policies (not too stringent) that add parameters within which your business can run securely, providing regular training to your users to help keep them sharp, and adding some technological controls on top to provide backup when your users slip up, you can go a long way toward mitigation.

About the author

This guide has been written exclusively for ByteStart by Jamie Graves Ph.D, Co-Founder and CEO of ZoneFox, an Edinburgh-based Cyber Security company. Established in 2010, ZoneFox provides progressive security solutions that protect valuable company data and intellectual property against the Insider Threat, with its patented technology.
